Why GDPR is flipping the thought process around data ownership

A lot of the discussion around GDPR has focused on individual privacy.

Thomas Fischer says that’s not what the law is about. It’s about data protection. And the noise around that point is a big misconception.

Fischer spoke with CyberScoop for our new podcast series, Decoding GDPR, in order to get the facts straight when it comes to the European law.

“It’s not about protecting the individual’s privacy, it’s protecting personal data,” says Fischer, a global security advocate based in London. “The GDPR actually says that it’s there to re-appropriate the person’s data, so that the person owns it. That’s a complete mind shift. If you think about it, companies collect data and think ‘OK, I’m collecting this data, I own this data, this is my data.’”

That mind shift is something companies will have to embrace if they want to be in tune with the law once it goes into effect in May. Companies of all sizes will not only have to shore up their data security practices, but also make it easy for EU citizens to obtain their data whenever they see fit.

“Imagine suddenly, you know, you go to Google and say ‘Well, you know the personal emails that you have in my inbox, I’m only allowing you to store them in my inbox, you can’t do anything with them because you know my rights say that this is my data.’ So I can decide what I want to do with my data, and I’m not allowing you to, for example, scrape it to target ads to me or things like that,” Fischer said. “Companies should be thinking, ‘what do I need to do to be able to respond to any requests… Can I prove that I’ve done everything possible to protect that data.’”

Fischer also talks about things beyond the GDPR that companies still have to look out for, including EU citizens’ right to be forgotten.

“Think of the Googles, the Amazons, the Facebooks, because while you know your personal data is there and they’re using it for whatever reasons… but if I want to check that reason I’m going out to call them and say ‘Hey guys, can you tell me exactly what you’re doing there? Can you demonstrate what you’re doing with my data?’” he says.

The resources needed to handle those requests are something that Fischer says companies need to be cognizant of, instead of rushing to be compliant by May 25.